Re: Setting Issuer Alternative Name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/14/23 14:00, Viktor Dukhovni wrote:

On Sun, May 14, 2023 at 12:44:48PM -0400, Robert Moskowitz wrote:


I looked at that manpage and tried:

authorityKeyIdentifier =
otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1

        AuthorityKeyIdentifier ::= SEQUENCE {
           keyIdentifier             [0] KeyIdentifier           OPTIONAL,
           authorityCertIssuer       [1] GeneralNames            OPTIONAL,
           authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

You're trying to set the AKID to just the GeneralName, but it has to be
a tagged sequence,
I did spend some time digging to get what a "tagged sequence" is let alone represent  it but can't find it in 5280 


  and note that "authorityCertIssuer" is the name of
the "grandparent" of the certificate in which the AKID appears, along
with the authorityCertIssuer you'd need to provide the serial number
of the parent certificate.


The two together seems only mandated in sec A.2.
I am not finding any discussion on authorityCertIssuer being that of the "grandparent", can you point me to that? 


But as I mentioned before, I don't expect that support for names other
than directory names in the AKID extension is particularly common.


Well I could put:

e.d.c.a.b.0.b.e.0.6.8.2.e.0.b.9.5.0.8.f.f.3.e.f.f.3.0.0.1.0.0.2.ip6.arpa.
? It will exist (we are for now doing this under driptesting.org as it will be a bit of process to get 3.0.0.1.0.0.2.ip6.arpa. delegated). 

But that is 73 bytes to show a 16 byte value.


You're better off with just "keyIdentifier", liking the child cert
to the key if of the parent cert.


I assume you mean:

authorityKeyIdentifier = keyid

and I can't see how to set keyid to 20010030000000052aeb9adc1ce8b1ec

I can control subjectKeyIdentifier like:

subjectKeyIdentifier = 20010030000000052aeb9adc1ce8b1ec

            X509v3 Subject Key Identifier:
                20:01:00:30:00:00:00:05:2A:EB:9A:DC:1C:E8:B1:EC

Which is defined as:

SubjectKeyIdentifier ::= KeyIdentifier


I tried

authorityKeyIdentifier = keyid=20010030000000052aeb9adc1ce8b1ec

And get an error

authorityKeyIdentifier = keyid:20010030000000052aeb9adc1ce8b1ec

Just uses the keyid as is:

            X509v3 Authority Key Identifier:
0F:4E:5E:54:C2:4F:80:9E:E5:79:CD:B4:14:9B:BF:EB:A8:57:CB:CA





Perhaps I should not have mentioned issuer SANs, you probably have no
use for them.  Do use the appropriate data type in the EE SAN.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux